2016-09-22 12:43:57 +00:00
---
title: About the shadow Resource
---
# shadow
Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are only readable by the `root` user. The format for `/etc/shadow` includes:
* A username
* The password for that user (on newer systems passwords should be stored in `/etc/shadow` )
* The last time a password was changed
* The minimum number of days a password must exist, before it may be changed
* The maximum number of days after which a password must be changed
* The number of days a user is warned about an expiring password
* The number of days a user must be inactive before the user account is disabled
* The number of days a user account has been disabled
These entries are defined as a colon-delimited row in the file, one row per user:
dannos:Gb7crrO5CDF.:10063:0:99999:7:::
2017-10-03 21:35:10 +00:00
<br>
2016-09-27 19:03:23 +00:00
## Syntax
2016-09-22 12:43:57 +00:00
A `shadow` resource block declares one (or more) users and associated user information to be tested:
describe shadow do
its('users') { should_not include 'forbidden_user' }
end
2017-10-25 16:23:52 +00:00
or with a single query:
describe shadow.users('root') do
its('count') { should eq 1 }
end
2016-09-22 12:43:57 +00:00
or with a filter:
2017-10-25 16:23:52 +00:00
describe shadow.filter(min_days: '0', max_days: '99999') do
2016-09-22 12:43:57 +00:00
its('count') { should eq 1 }
end
2017-10-25 16:23:52 +00:00
The following properties are available:
* `users`
* `passwords`
* `last_changes`
* `min_days`
* `max_days`
* `warn_days`
* `inactive_days`
* `expiry_date`
* `reserved`
2016-09-22 12:43:57 +00:00
2017-10-25 16:23:52 +00:00
Properties can be used as a single query or can be joined together with the `.filter` method.
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
<br>
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
## Examples
The following examples show how to use this InSpec audit resource.
### Test for a forbidden user
describe shadow do
its('users') { should_not include 'forbidden_user' }
end
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
### Test that a user appears one time
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
describe shadow.users('bin') do
its('passwords') { should cmp 'x' }
its('count') { should eq 1 }
end
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
<br>
2016-09-22 12:43:57 +00:00
2017-10-03 21:35:10 +00:00
## Matchers
2016-09-22 12:43:57 +00:00
2018-01-31 12:24:16 +00:00
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
2016-09-22 12:43:57 +00:00
2016-09-27 19:03:23 +00:00
### count
2016-09-22 12:43:57 +00:00
The `count` matcher tests the number of times the named user appears in `/etc/shadow`:
its('count') { should eq 1 }
2017-10-25 16:23:52 +00:00
This matcher is best used in conjunction with filters. For example:
2016-09-22 12:43:57 +00:00
describe shadow.users('dannos') do
its('count') { should eq 1 }
end
2016-09-27 19:03:23 +00:00
### expiry_dates
2016-09-22 12:43:57 +00:00
The `expiry_dates` matcher tests the number of days a user account has been disabled:
its('expiry_dates') { should eq '' }
2016-09-27 19:03:23 +00:00
### inactive_days
2016-09-22 12:43:57 +00:00
The `inactive_days` matcher tests the number of days a user must be inactive before the user account is disabled:
its('inactive_days') { should eq '' }
2016-09-27 19:03:23 +00:00
### last_changes
2016-09-22 12:43:57 +00:00
The `last_changes` matcher tests the last time a password was changed:
its('last_changes') { should eq '' }
2016-09-27 19:03:23 +00:00
### max_days
2016-09-22 12:43:57 +00:00
The `max_days` matcher tests the maximum number of days after which a password must be changed:
its('max_days') { should eq 90 }
2016-09-27 19:03:23 +00:00
### min_days
2016-09-22 12:43:57 +00:00
The `min_days` matcher tests the minimum number of days a password must exist, before it may be changed:
its('min_days') { should eq 0 }
2016-09-27 19:03:23 +00:00
### passwords
2016-09-22 12:43:57 +00:00
2017-10-27 08:31:48 +00:00
The `passwords` matcher returns the encrypted password string from the shadow file. The returned string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed.
2016-09-22 12:43:57 +00:00
For example:
its('passwords') { should cmp '*' }
2016-09-27 19:03:23 +00:00
### users
2016-09-22 12:43:57 +00:00
The `users` matcher tests if the user name exists `/etc/shadow`:
its('users') { should eq 'root' }
2016-09-27 19:03:23 +00:00
### warn_days
2016-09-22 12:43:57 +00:00
The `warn_days` matcher tests the number of days a user is warned about an expiring password:
its('warn_days') { should eq 7 }